godot-dialogue-system

Warn

Audited by Gen Agent Trust Hub on May 27, 2026

Risk Level: MEDIUMREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The load_dialogue function in scripts/dialogue_manager.gd (and associated documentation in SKILL.md) utilizes Godot's load() function with a dynamic string path. Since Godot resources can contain script components, this pattern allows for arbitrary code execution if the path points to an untrusted or attacker-controlled resource file.
  • [REMOTE_CODE_EXECUTION]: The DialogueOption resource defined in scripts/dialogue_option_data.gd includes a condition_script field intended for storing GDScript snippets. This design facilitates dynamic code evaluation at runtime, which poses a severe risk if the dialogue resources are sourced from external or unverified origins.
  • [DATA_EXFILTRATION]: The load_dialogue_graph function in scripts/dialogue_engine.gd uses FileAccess.open() with a user-provided file_path. Without explicit path validation or restriction to the res:// or user:// scopes, this implementation allows for Local File Inclusion (LFI), potentially exposing sensitive system files to the application.
  • [COMMAND_EXECUTION]: The _on_line_started function in scripts/dialogue_event_bridge.gd emits global signals based on the event_signal metadata property of dialogue nodes. This allows for logic injection where a malicious dialogue file can trigger sensitive internal game functions through the GlobalBus signal system.
  • [PROMPT_INJECTION]: The dialogue engine processes narrative data containing execution triggers (like [trigger:event]) without sanitization, creating a surface for indirect injection.
  • Ingestion points: load_dialogue in scripts/dialogue_manager.gd and load_dialogue_graph in scripts/dialogue_engine.gd.
  • Boundary markers: Absent; dialogue text and metadata are processed directly without delimiters or instruction-ignore guards.
  • Capability inventory: Arbitrary resource loading via load(), file system access via FileAccess, and global signal broadcasting via emit_signal().
  • Sanitization: None; the BBCode parser in scripts/dialogue_engine.gd removes tags for display but does not prevent the underlying event signals from being fired.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 27, 2026, 04:17 PM
Security Audit — agent-trust-hub — godot-dialogue-system